[Openswan dev] Re: [Openswan Users]
Michael Richardson
mcr at xelerance.com
Wed Jan 4 12:17:20 CET 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
Paul> The cards cannot and should not rewrite ipsec packets. Any
Paul> change will break the authenticity of the packet. IPsec
Paul> protects against packet rewriting, whether it is done by the
Paul> good or the bad guys.
It is possible that the flag in the SKB that says to do the offload is
not getting cleared by KLIPS.
Paul> Note that I said "ipsec packets". I menat protocol 50 and
Paul> 51. If we are talking about NAT-T poackets, eg ESPinUDP
Paul> packets, then it should be possible to do hardware offloading
Paul> of the outer UDP packet. What packets did you see this
Paul> behaviour for?
We set the UDP checksum to 0 on NAT-T packets. UDP checksum is a waste
of time, when we have the HMAC to authenticate the data.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBQ7wDGoCLcPvd0N1lAQLD/Qf+Pgz6kWmjFQ/CV5SpnTUkUkxXT9rd/PzM
/PQoElARSCeKPjzx069RC9tL4fF7A24I7PT5o10jbAmXXD7efKRG32ZfJutPUzxJ
qPjGV4U8phXJSoxwdXUjdQV4Ueo946RByTBrOiKd5kEogt3Otv9J6TJ/SNjrZWPh
dVhfOIctHP5bdNaPvyk6ooSiKu6CC8OPE1BIV2EGljscJ7B3iPQO3lOfEOdzNnvk
HZgJ7ryKmVoGDZ3sXHsPn9Jp0CwY5Ed32iesQyTC5aqfY5RvlQuZ2aJwZHJN2S15
L3PXDfHGv0wmjRU+76CEDiAB01DczZ04PZ/zGO4v956orpGvpxvmIQ==
=SJAq
-----END PGP SIGNATURE-----
More information about the Dev
mailing list